Privacy and Anonymity Using Anonymizing Networks –II

CS 436/636/736 Spring 2012

Nitesh Saxena

Some slides borrowed from Philippe Golle, Markus Jacobson

Course Admin

•Mid-term exams returned•HW3 to be posted very soon

Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks

Today’s Outline

• Re-encryption based mix networks– Secret sharing– Research flavor

Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks

Principle Chaum ’81

Message 1

Message 2

server 1 server 2 server 3

PrivacyEfficiencyTrustRobustness

Requirements :

But what about robustness?

encr(Berry)encr(Kush)

encr(Kush)

Kush

Kush

Kush

STOP

I ignore his

outputand

produce my own

There is no robustness!

Zoology of Mix Networks

• Decryption Mix Nets [Cha81,…]:– Inputs: ciphertexts– Outputs: decryption of the inputs.

• Re-encryption Mix Nets[PIK93,…]:– Inputs: ciphertexts– Outputs: re-encryption of the inputs

Inputs Outputs?

Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks

First SolutionChaum ’81, implemented by Syverson, Goldschlag

Not robust (or: tolerates cheaters for correctness)

Requires every server to participate (and in the “right” order!)

Re-encryption Mixnet0. Setup: mix servers generate a shared key

1. Users encrypt their inputs: Input Input Pub-key

3. A quorum of mix servers decrypts the outputs

Output OutputPriv-key

Server 1 Server 2 Server 3

re-encrypt

& mix

re-encrypt

& mix

re-encrypt

& mix

2. Encrypted inputs are mixed:

Proof ProofProof

Recall: Discrete Logarithm Assumption

• p, q primes such that q|p-1• g is an element of order q and generates a

group Gq of order q• x in Zq, y = gx mod p• Given (p, q, g, y), it is computationally hard to

compute x– No polynomial time algorithm known– p should be 1024-bits and q be 160-bits

• x becomes the private key and y becomes the public key

Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks

ElGamal Encryption

• Encryption (of m in Gq):– Choose random r in Zq– k = gr mod p– c = myr mod p– Output (k,c)

• Decryption of (k,c)– M = ck-x mod p

• Secure under discrete logarithm assumption

Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks

ElGamal Example: dummy• Let’s construct an example• KeyGen:

– p = 11, q = 2 or 5; let’s say q = 5– 2 is a generator of Z11*– g = 22 = 4– x = 2; y = 42 mod 11 = 5

• Enc(3):– r = 4 k = 44 mod 11 = 3– c = 3*54 mod 11 = 5

• Dec(3,5):– m = 5*3-2 mod 11 = 3

Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks

(t+1,n)- Secret Sharing Motivation: to secure the cryptosystem against t (< n/2) corruptions Split the secret among n entities so that

any set of t+1 or more entities can recover the secret an adversary who corrupts at most t entities, learns nothing about the secret

Tool: Shamir’s Polynomial Secret Sharing

f(z) degree t polynomial (mod q) f(0) x

f(i) ssi

INSECURE SECURE

Gi

ii qlssx )(mod

Polynomial interpolation:

for any G, s.t. |G|=t+1

(n=7, t=3)

Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks

Re-encryption techniqueInput: a ciphertext (k,c) wrt public key y

1. Pick a number r’ randomly from [0…q-1]

2. Compute k’ = kgr’ mod p c’ = cyr’ mod p

3. Output (k’, c’)

Same decryption technique!

Compute m k’c’-x

Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks

A simple Mix

(k1, c1)

(k2, c2).

.

.(kn, cn)

RE-ENCRYPT

RE-ENCRYPT

(k’1,c’1)

(k’2,c’2).

.

.(k’n,c’n)

(k’’1,c’’1)

(k’’2,c’’2).

.

.(k’’n,c’’n)

Note: different cipher text, different re-encryption exponents!

And to get privacy… permute, too!

(k1, c1)

(k2, c2).

.

.(kn, cn)

(k’’1,c’’1)

(k’’2,c’’2).

.

.(k’’n,c’’n)

Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks

And, finally…the Proof

• Mix servers must prove correct re-encryption– Given n El Gamal ciphertexts E(mi) as input– and n El Gamal ciphertexts E(m’i) as output

– Compute: E( mi) and E(=m’i) – Ask Mix for Zero-Knowledge proof that these ciphertexts

decrypt to same plaintexts

Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks

Anonymizing Network in practice: Tor

• A low-latency anonymizing networkhttp://www.torproject.org/

• Currently 1000 or so routers distributed all over in the internet

• Can run any SOCKS application on top of Tor• Peer-based: a client can choose to be a router• A request is routed to/fro a series of a circuit of three

routers• A new circuit is chosen every 10 minutes• No real-world implementation of re-encryption mix as yet

Lecture 7.2: Privacy and Anonymity Using Anonymizing Networks